But how do these antivirus programs actually work? How can they detect shady programs that are installed onto your system because they misled you or you did it by accident? Considering that by now, there have probably been over a million different malware programs created, it is impossible to keep track of them all. Yet somehow, most good antivirus programs can detect nearly all of them.
There are actually quite a few methods that antivirus programs use to detect malware. Not all of them are public, since vendors don’t want malware authors finding workarounds, but the known ones are still interesting. Some antivirus programs use hashing to detect unwanted files or unwanted changes to files. A hash is a short fingerprint of a file’s contents, and changing even a single byte produces a completely different fingerprint. Essentially, an antivirus can save a hash for every file it scans. If the file’s data is modified in any way, the next scan will produce a hash that no longer matches the stored one. For ordinary documents this is no big deal, since a user is always altering files. The antivirus “becomes suspicious” when a file that isn’t supposed to change, such as a system executable or a program the user never reinstalled, suddenly has a different hash. That means something other than a normal process on the computer altered that file, which points to a potential malware infection. The same fingerprints also work the other way around: if a file’s hash matches one in a list of hashes of known malware, the file is almost certainly that malware.
Another similar check that antiviruses may use when scanning is the size of each file. Like the hashing method, each time an antivirus scans your computer it may record the size of every file it ran through. If an executable suddenly got larger even though the user didn’t touch it, that is extremely suspicious. Classic file infectors work by appending their own code to existing programs, so a program that grew on its own most likely now carries injected code, and this will raise a major red flag for your antivirus.
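As an added example (not code from any real antivirus product), here is a small baseline-and-rescan check in Python that does both of the things described above: it records a SHA-256 hash and the size of every file, then flags files whose hash changed, treating changes under a “protected” prefix such as `bin/` (an assumption made for this example) as suspicious and changes to ordinary user files as merely informational. The scenario in `demo()` is constructed: a fake `calc.exe` has an infector body appended to it while the user legitimately edits a text file.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: a minimal baseline/rescan integrity check of the kind described
# in the text. This is illustrative code, not any product's real implementation.


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record (sha256, size) for every regular file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = (sha256_file(p), p.stat().st_size)
    return baseline


def compare_baselines(old: dict, new: dict, protected_prefixes=("bin/",)) -> list:
    """Return (path, severity, detail) for files that changed, appeared or vanished.

    Any change under a protected prefix (assumed here to be files the user never
    edits, e.g. installed programs) is 'suspicious'; everything else is 'info'.
    """
    def severity(name: str) -> str:
        return "suspicious" if name.startswith(protected_prefixes) else "info"

    findings = []
    for name, (digest, size) in new.items():
        if name not in old:
            findings.append((name, severity(name), "new file"))
            continue
        old_digest, old_size = old[name]
        if digest == old_digest:
            continue  # content unchanged, so the size is unchanged too
        if size > old_size:
            detail = f"modified and grew by {size - old_size} bytes"
        else:
            detail = "modified"
        findings.append((name, severity(name), detail))
    for name in old:
        if name not in new:
            findings.append((name, severity(name), "deleted"))
    return findings


def demo() -> list:
    """Constructed scenario: an appending infector modifies a program while the user edits a document."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "calc.exe").write_bytes(b"MZ" + b"\x00" * 100)   # fake program
        (root / "notes.txt").write_text("user document\n")               # user's own file
        before = build_baseline(root)

        # Simulate an appending file infector adding 40 bytes to calc.exe
        with (root / "bin" / "calc.exe").open("ab") as f:
            f.write(b"VIRUS BODY" * 4)
        # The user legitimately edits their own document
        (root / "notes.txt").write_text("user document, edited\n")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for path, sev, detail in demo():
        print(f"{sev:10} {path}: {detail}")
```

Note that the program can’t actually read the user’s mind; the distinction between “the user changed it” and “something else changed it” comes from the protected-path list (or, in a real product, from knowing which files are installed software and which are documents), and a legitimate software update will show up as suspicious until the baseline is refreshed.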
A pretty simple method of detecting malware that is used very often is to collect byte sequences (signatures) that always appear in a particular piece of malware and put them in a database the antivirus program can check. If a file contains one of the signatures in the database, then it is likely that the file has that specific malware in it. For example, say the hypothetical “bug worm” virus always starts with the assembly line “jmp r23 ;executing worm” and the bytes that encode it. The antivirus vendor “learns” that every time the “bug worm” is found, that specific sequence starts the code, and saves it in the database. The next time the scanner sees those bytes, it knows what it is looking at because it can reference the database and find the signature. This method can even work for viruses that encrypt themselves to make them harder to find: if the malware uses the same key every time, the encrypted body and the small decryption routine in front of it are identical in every copy, so a signature can still be taken from them. It stops working once the malware picks a fresh key for each copy, which is exactly why malware authors do that.
Interestingly, many other methods of detecting malware still revolve around finding signatures. You wouldn’t think it would be that simple, but it is. Most well-written pieces of malware change their signature or throw “junk” into the malicious code (do-nothing instructions scattered between the real ones) to make it harder for a scanner to tell that the code is actually bad. Thus, antiviruses will sometimes use algorithms that strip away junk code that serves no purpose, in an attempt to expose a recognizable signature. Often, behind all the junk, a pattern that is in the database may be found, pointing to that specific file as containing malware.
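The following is an added example, not code from the original post or from any antivirus vendor, showing both of the ideas above in one small Python scanner: signatures are written as hex byte patterns in which `??` matches any single byte (a convention borrowed from ClamAV-style signatures), and before matching, a normalization pass strips known do-nothing x86 instruction sequences that malware authors sprinkle between the real ones. The signature names (“BugWorm”, “DropperX”), the signature bytes and the sample files are all made up for the example.

```python
import re

# Added example: a toy signature scanner with wildcard byte patterns and a
# junk-stripping pre-pass. Signatures, sample data and names are constructed.

# Hypothetical signatures: name -> hex pattern; "??" matches any single byte.
SIGNATURES = {
    "BugWorm":  "e9 ?? ?? ?? ?? 62 75 67 77 6f 72 6d",   # jmp rel32 ; "bugworm"
    "DropperX": "68 ?? ?? ?? ?? ff d0 c3",               # push imm32 ; call eax ; ret
}

# x86 instruction sequences that do nothing and are commonly inserted as padding.
JUNK = [
    b"\x90",          # nop
    b"\x87\xc0",      # xchg eax, eax
    b"\x8b\xc0",      # mov eax, eax
    b"\x40\x48",      # inc eax ; dec eax
]


def compile_signature(hex_sig: str) -> re.Pattern:
    """Translate 'e9 ?? 62' into a bytes regex: literal bytes escaped, '??' becomes any byte."""
    parts = []
    for tok in hex_sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def strip_junk(data: bytes) -> bytes:
    """Remove known do-nothing instruction sequences so interleaved padding cannot hide a signature."""
    # Longer sequences first so a 2-byte junk pair is not split by removing a 1-byte one.
    for junk in sorted(JUNK, key=len, reverse=True):
        data = data.replace(junk, b"")
    return data


def scan(data: bytes) -> dict:
    """Return {signature_name: 'raw' | 'normalized'} for every signature found in data."""
    hits = {}
    for name, pat in COMPILED.items():
        if pat.search(data):
            hits[name] = "raw"
    normalized = strip_junk(data)
    for name, pat in COMPILED.items():
        if name not in hits and pat.search(normalized):
            hits[name] = "normalized"
    return hits


# Constructed sample "files": a clean one, a plain BugWorm, and a BugWorm whose
# author interleaved junk instructions with the signature bytes.
SAMPLES = {
    "clean.bin":   b"MZ" + b"\x00" * 16 + b"hello world",
    "worm.bin":    b"\xe9\x10\x00\x00\x00bugworm" + b"\xcc" * 8,
    "padded.bin":  b"\xe9\x90\x10\x90\x00\x00\x00\x87\xc0bug\x40\x48worm",
}


def demo() -> dict:
    """Scan every constructed sample and report which signatures matched and how."""
    return {name: scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no match'}")
```

The padded sample does not match on the raw bytes because the junk shifts the marker string out of the position the signature expects, but after `strip_junk` the original sequence is back and the signature fires. The caveat a real scanner has to deal with is that blindly deleting `0x90` bytes can also corrupt legitimate data (a `0x90` inside an address, for instance), which can cause both missed detections and false alarms; production engines decode instructions rather than doing byte-level string replacement.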
Detecting malware has become easier and at the same time harder as time has gone on. Viruses and other types of malware have become more complex and harder to detect, yet the methods used to discover them have improved as well. The war between antivirus products and malware is a very quiet, but important war. It is important that the “good guys” stay ahead of the game so that they can infiltr...I mean protect people’s computers from potentially devastating programs.
Just always remember these few tips to avoid getting lots of malware on your computer: install an antivirus and use it regularly, uncheck all of the “optional” add-ons when downloading something, don’t download anything from an untrusted site, and most importantly, don’t call those damn numbers that pop up in your browser when a “you have a virus!” message comes up. They are scammers who ruin people’s lives by stealing their money. If you follow the above tips, you should be good to go.